PCNSA: Palo Alto Networks Certified Network Security Administrator


Curriculum for Palo Alto Networks PCNSA Certification Video Training Course


Chapter 3 - Security and NAT Policies

4. 3.4 Destination NAT configuration

In this video, we are covering PCNSA 210. This is chapter three on security and NAT policies, and this is the fourth video of chapter three, which is 3.4, destination NAT configuration. Destination NAT is frequently used to provide access from the public or external network to private internal servers. Usually it is used for DMZ zones, for accessing web servers, or maybe accessing email servers or FTP servers or something like that. Destination NAT will translate a destination IP address to an alternate destination IP address. When we configure destination network address translation, the NAT rule and the security policy are what we have to worry about. So we have to think about the pre-NAT information, i.e., when we configure destination NAT, we go to Policies, then NAT. When we add a NAT rule, we look at the pre-NAT information, like pre-NAT zones and pre-NAT addresses: where the packets come from and where they are going.

And when we configure a security policy, it's exactly the same thing. We look at the pre-NAT source address and the pre-NAT destination address, but the security policy also looks at the post-NAT zone at the other end, where we end up. I will configure this to demonstrate it for you. I already have a machine here that has an IP address in the outside zone. I pretty much moved this machine to the outside zone and gave it this IP address, and I'm going to demonstrate how to configure our destination NAT. So I'm going to translate this IP address, 203.0.113.10. Now, when this PC is trying to get to that IP address, it will obviously go to the firewall first, and when the firewall sees that IP address, it will translate it to the IP address of the Ubuntu server, and we will access the FTP server there. Okay? So that's the idea. So I'm just going to show you the outside PC that I already have, which is this one here. Look at the command prompt: if I do ipconfig, 203.0.113.200, that's the IP address on the outside. And obviously it doesn't know the IP address of the DMZ zone, which is what we'll see if I try, for example, an FTP.

That's the idea. In the end, what are we going to be doing? We're going to be accessing ftp://203.0.113.10. But obviously at the moment we haven't configured anything, so it's not going to work. We can't access it. Okay, so let's get going. To configure it, it's a two-step process. First we configure the NAT rule, and after that we come back and configure the security policy rule to allow that NAT rule to work. So to configure the NAT rule, we go to Policies, and we're going to configure NAT. So click NAT and then Add. This is going to be a destination NAT to the demilitarized zone. And of course you fill all of this out. The original packet: the source zone, where is it coming from? Well, if you look, for example, it's coming from outside. Right? So the source zone is outside, and then the destination zone. At this point it kind of confuses people, because they say the destination zone is the DMZ. Well, not really, because this PC doesn't really know if this server is in the DMZ or in the inside zone. So the source is outside and the destination is going to be outside as well, because it's hitting the IP address here on the outside network. So the IP address is going to be an outside address, and the destination zone is still outside. Okay, so the destination zone is outside, and the destination interface, well, that's going to be ethernet1/1. And the service that we want to use is the FTP service. Okay, so coming from outside, going to outside, and the destination address, well, we're going to put the destination address, which is going to be our public address, 203.0.113.10. That's our public address. Source address: we don't know the source address. And then we go to the translated packet. So what's going to happen after it goes inside? Well, we're going to do the destination address translation now. So for the translation type we're going to have static, and then the translated address.

What's going to happen? Well, it's going to be translated to 192.168.50.10. That's the address that we translate to. We can even translate the port number as well if we want to. So click OK. Now that is the destination NAT to the demilitarized zone. The source zone is outside, the destination zone is outside, the destination interface is ethernet1/1, the source address, we don't know it, so any, and the destination address is the web server's public address (here the FTP server's), with the service FTP. And then what's going to happen once we translate it? We translated it to this address. Okay, so that's the NAT done. Now we need to go to the security policy and create a security policy to allow that NAT to work. So we click Add and we can name it "out to DMZ FTP," and we leave it as universal. The source zone is going to be outside, and here the destination is post-NAT, after the NAT has done its thing. So the destination zone is going to be DMZ here, and the application and service we leave as they are. And for the action we can say allow, and I click OK. Right. So the source address can be any, because we don't know the source address, but in the destination address we can put the server's IP address, which is 203.0.113.10, the public address. That's the server's IP address when traffic goes from anywhere to that server in the DMZ zone.

We can allow that traffic as long as it's FTP, and we can commit that. So the commit has been completed successfully. That's good. Well, let's go to our machine and see if we can access it. Before, we couldn't. So let's try again. Okay, so we get a username and password prompt. That means that it actually did access that server. So if I enter a username and password, I have access to that server, the server in the demilitarized zone. Okay, just to show you how we did it: we configured the NAT first. We gave it a name, and we said the source zone is outside, and the destination zone is outside still, because the outside world doesn't know what the destination zone is going to be. The interface is going to be the outside-facing interface. The source address is any address from the Internet, because we don't know who it is. The destination address is 203.0.113.10, the public address of the web server (the FTP server). The service, we said FTP, and then we translate that address to the FTP server inside, 192.168.50.10. And then on security, we went and created a security policy to make that NAT work. We allowed the traffic: the source zone is outside, any address or user, and then the destination zone. When you do a security policy, you have to look at the post-NAT destination zone, which is the DMZ zone. And the destination address is the pre-NAT address. Okay, so let me show you these two screens again. When you configure the NAT, everything is pre-NAT; everything you have to think of is pre-NAT. When you configure the security policy, everything is pre-NAT except the end zone, the destination zone. That is the post-NAT zone.

5. 3.5 Lab: Security and NAT Policies

In this video, we are covering PCNSA 210, and this is our chapter three, security and NAT policies. This is the fifth video of chapter three, which is 3.5, lab: security and NAT policies. So in this video we put everything together, whatever we learned in chapter three, and we put it into our lab. The first thing we're going to do in the lab is create tags and use them later with the security policy. If you remember, tags are color-coded labels that enable us to group, sort and filter objects using keywords. Then we're going to create a basic source NAT rule to allow outbound access, and an associated security policy rule to allow the traffic. So we first create a source NAT, and then we create a security policy to associate with it. Then, to allow FTP traffic, we'll create a destination NAT rule for the FTP server and another security policy to go along with it. So this is the lab topology that we'll be using. It already has a basic configuration, and if you don't know how to configure the basic one, you should watch the videos in chapters one and two. I already have zones configured, and I already have interfaces placed in those zones with the correct IP addresses. So in this video we cover whatever we covered in chapter three, which is NAT: we have source NAT and we have destination NAT, which we can both configure, and we can configure the security policy as well. The idea is that we create a source NAT that will translate IP addresses and port numbers from this network to the outside, anything from 192.168.1.0/24. We create a NAT policy there that is a source NAT, and then we create a security policy as well. And then we create a destination NAT for anything that comes from outside to our DMZ zone. Okay, so if I show you, I already have a connection to my firewall.

And as you can see, there's nothing in the policies. We only have the default intrazone and interzone policies, which are read-only, but we can override them if we want to. To do that, you just select the policy and then select Override, and then you can change, for example, logging or even action settings. And we don't have any NAT policies either. And I already have my machine, the PC in our network, inside the network. If you have a look at our topology, we have Windows 7 and the firewall I just showed you. So this one is Windows 7. If I open a command prompt and just check ipconfig, I have 192.168.1.200, that's the IP address of the PC, and if you compare that to the gateway, which is 192.168.1.1, the internal address on the firewall, I should be able to ping that gateway. Ping 192.168.1.1, and I've got a reply from my gateway. I should not be able to ping anything outside, for example a Google server; I'm not able to ping it because there is no NAT, and there is actually no security policy for interzone communication. Anyway, if I go to my firewall again, the first thing we're going to configure is the tags that we're going to use with the security policy. Tags are color-coded labels. You go to Objects and then Tags. There are already two predefined tags, but we can create our own tags. So, for example, the first is going to be "in to out", and for this tag we put the color; you can just put green, for example. In the comments you can type more comments. And then we have another tag with another color, for example "out to DMZ". Let's use a red colour for this, and possibly "in to DMZ", and maybe another color for that. Okay, so these are three different tags that we can apply to our security policy and use to search or filter objects. The next thing we're going to configure is the NAT rule.

So for that, we need to go to Policies, select NAT, and then click Add. The idea is that we will configure a rule from the inside out, so from the internal zone with our network IP address. So dynamic IP and port NAT from in to out; name it "in to out". And you can put in a description, something that makes sense, so that six months down the line you know what this NAT policy rule is actually doing. Then we can add a tag; for this one let's put "in to out". And if we want to group rules by this tag, we can put that in as well. The NAT type is IPv4; we can also have NAT64 or NPTv6. And all of these comments, for example by which admin and at what date and time, will be recorded here. Then the original packet: this is how the packet will look before it is translated. In the original packet, the source zone is going to be inside, and the destination zone, where it is going, is going to be outside, and the destination interface is going to be ethernet1/1. Now, for the source address, we can put the address of our network, for example 192.168.1.0/24, which means everybody in our network, all the PCs in our network. We could have created an address object to have this as a name rather than just an IP address, but for that you should watch the earlier videos; they go into more detail on how to create security policy rules. Then, once the address is matched, we translate the address, so click on Translated Packet. As you can see, there are two types of translation: we can either do source address translation, which is this one here, or we can configure a destination address translation. We do that one after. First we're going to do a source address translation, so what will happen is the translation type.

So once there's a match, we can translate the port and the IP address (dynamic IP and port), or we can have dynamic IP, just the IP address without the port, or we can have static. But now, since we're doing dynamic IP and port, we can translate it to some addresses that we've purchased and add them here, or we can translate it to a specific outside interface address, which in our case is ethernet1/1. So, for example, if you look at this, we're going to take it from wherever it's coming from and translate it to this Ethernet interface and then this IP address. So ethernet1/1's IP address. Okay, now that's our NAT policy done. So from inside to outside: source zone inside, destination zone outside, destination interface ethernet1/1, source address any address on that network, destination address any, and service any, and then that's what's going to happen once it's translated. To test this, I'm going to actually ping that Google server. So ping 8.8.8.8, and I'm going to set the ping to continue. These pings should start working as soon as we commit the NAT and the policy rule. So if I go back, I've done the NAT; now I need to do the security policy rule. The security policy rulebase is a top-to-bottom list. Is it going to read it top to bottom? Yes, so the most explicit rules need to be at the top. In any case, these are two implicit rules anyway. So I'll click Add, and this is going to be "in to out", the "in to out" rule, and the rule type, you can see it's universal; we can have intrazone or interzone. So universal, and the description is up to you, similar to NAT, and tags again; this one I'm going to put "in to out", and then group rules by tag, another green "in to out" tag, and again the comments. I'm not going to actually type these because it'll just increase the time of our videos, but you need to write the comments. So source zone, sorry.

So we're going to be from inside, and the source address again; if I had my address objects, I could just put them in instead of writing them all the time, like this, I can just click on that and it will appear. Okay, so users: we don't have any User-ID at the moment, so we just keep it as any user, and all of these checkboxes here, video 3.1 explains what these are. Destination: the destination zone will be outside, and application; we haven't discussed App-ID or service or URL category, nothing. We just leave it as the default, and the action is going to be allow. We log at session end; we can log at session start, but that's for troubleshooting. For the action we can say, for example, allow or deny. Deny obviously is going to drop; allow is going to forward the traffic; or we can say drop. Drop, we can send, obviously it will drop the packet, but it will reply with the ICMP unreachable message. Same thing, we can say reset client, reset server, reset both. If we say, for example, reset both the client and the server, where the client is the initiator and the server is the responder, we can send them ICMP unreachable as well. But this time we're going to allow the traffic. We have not configured any logging profile, so we're just going to leave that as a None profile setting; this is in the next chapter, chapter five, I believe. And then we can schedule, and the other settings. We haven't created any schedules or QoS markings. For example, the schedule, I have done it in video 3.2 or 3.3; I'm not sure, but you should be watching them; like I said, they go into more detail. So we created a security policy that will be associated with the NAT policy, and it will allow that traffic, right? If I commit this, after I commit it, once I go back to my PC I should see replies. I'm going to press Commit, and Commit again. Okay, now the commit has been completed successfully. I can close this, and I already see some hit counts. I can see the first hit, last hit, and hit count.

I'm pretty sure that this is replying now. Absolutely. So that policy is actually working. We can have a hit count on the NAT rule as well as the security rule. So I can see in the security rule that I have a hit count, but if I look at the NAT rule as well, I'm going to have a hit count on that as well. See, that is working as well. Okay, it's not just those things. For example, I can now open Facebook or any other application and it will work, because we did not specify which application we were talking about; we simply said any application. So I can open Facebook; I can ping; everything should work. All right, let me just log in there and see. We can also see it in the monitor. So if I go to Monitor and logs and then Traffic, I can see that my PC is actually talking to the Google server, that it's doing DNS and pinging it, and that Facebook and whatever applications I use, such as web browsing, will appear later on. So obviously google-base is there as well. The next thing we're going to do is create a destination NAT. Now, if you look at the lab for the destination NAT, what we're going to do is use this FTP server. So we're going to use this server, the Ubuntu server, which has an FTP service running on it. And we're going to create a destination NAT that is going to allow traffic from the Internet to come in and access that FTP server. Now this firewall is going to translate. So, say, for example, let's just use that server's IP address. This server's public IP address is 203.0.113.10, right? Since it has ten inside, we're going to keep it at ten outside as well, right? When this PC located in the outside zone is trying to access this IP address, then the firewall will translate that address to this address. So that address will become the destination for this address. And to do that, because I don't have another Windows 7 machine, I'm going to show you how I'm going to move this PC from inside to outside. Right? Easy.

Okay, so the first thing is, I'm going to access my PC. So close everything, cancel everything. And then what I'm going to do is just change the settings. In the VM settings I'm going to go from VMnet1 to the outside zone, VMnet2. So I click that and click OK. Then I'm going to go to the Control Panel and change the IP address so that it's outside. So start with the Control Panel, then Network and Internet, and Network and Sharing Center. And in here I'm going to change the adapter settings. I'm just going to give it an IP address from outside. If you look at my topology, it's 203.0.113.200. And that one is going to have the gateway; properties of IPv4. And then this is what I'm going to put: 203.0.113, was it 200? Yes. The same subnet mask, and the gateway is going to be 203.0.113.1, and click OK. Now this PC has magically moved from inside to outside, and I'm going to try and ping the gateway. So launch the command prompt and type ipconfig. Now you can see that IP address, and then ping the gateway, 203.0.113.1, and I have access to my gateway. But if I ping, for example, the IP address of the server, which we said is 203.0.113.10, it's not going to work, right? Because obviously we lack the configuration. What we want is that when I do an FTP to that IP address, I should get something back. So if I do FTP 203.0.113.10, I should get a reply. I should get a prompt where I can put my username and password. That's the idea. So what I'm going to do is go to Policies, and this time I'm going to create a destination NAT. So Add; it's going to be "out to DMZ", and the tags I'm going to put are "out to DMZ", red, and another red one on the group; then the original packet. The source is going to come from outside. So anything from outside, and then the destination zone. Now you have to be careful: your destination zone is actually the outside.

So from outside to outside. Here I'm going to put the destination zone outside, the source address any, because I don't know the source address, and the destination address is actually one address, so we're going to put 203.0.113.10. Then we're going to translate it, under Translated Packet. We're going to do the destination address translation here, and the translation type is going to be, well, we can do static or we can do dynamic or none. We're going to do static, and the translated address is going to be 192.168.50.10. We can also translate the port if we want to. For example, if somebody is trying to go to this web server at port 80 and our web server is actually working on 80, we can actually translate the port as well. Just click OK here. That's our DMZ rule, "out to DMZ", so the source is outside and the destination is outside. So it's a pre-NAT translation; what will it look like before it is translated? Any source, everybody on the Internet, is coming to that server, and the translation is going to be a destination translation here. The second step is to create a security policy to associate with this NAT rule in order to allow traffic. So go to Security, and in here we have to worry about the destination zone; it's going to be after the NAT has been translated. Everything else is pre-NAT; the only thing post-NAT is the destination zone. So "out to DMZ", and I'm going to leave the description for now. The source zone is outside, the source address any, nothing for users, and then the destination zone: this is post-NAT, after the translation has happened. So the destination zone is going to be DMZ, and the destination address, we can put the destination address of the server, which is 192... sorry, this is the pre-NAT, so 203.0.113.10, and we can allow that traffic, log it, and click OK. Now that's the configuration done. So to show you again, the NAT: the source zone is outside, the destination zone is outside.

So pre-NAT everything: source interface, source address any, destination address any, no, sorry, the destination address of the server, and then how are we going to translate that address? Well, it's going to translate it to the server's address, 192.168.50.10. And then on security policies, everything is pre-NAT except the destination zone. The destination zone is DMZ; the pre-NAT source zone is outside, source address any, destination zone DMZ, and then the pre-NAT IP address, the application and everything else are pre-NAT. Okay, let's see if it commits, and then we go and test it. Okay, now that we have committed successfully and closed that, I'm going to go to my PC, which is now in the outside location, and I'm going to try it. It's already in, you see. It's already in because it was already okay, so let me exit from that, quit, and then try again. FTP 203.0.113.10, and I'm connected here. So if I go to my firewall and go to Monitor, then logs and Traffic, you can see that I'm logging traffic coming from the outside zone going to DMZ, with the IP address of my PC going to this address, using port 21 and the FTP application, and then the returning traffic as well, allowed. Then we can go into more detail on the packets: if I click on this magnifying glass here, it will open a bit more detail about those packets, the source address and the destination address. Then what did we do with the NAT IP address?
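The pre-NAT versus post-NAT matching order that lecture 3.4 and this lab both keep coming back to, written up as an added Python model (it is not part of the course and not PAN-OS code): NAT rules are matched on the packet as it arrives, then the security policy is matched on the pre-NAT addresses but the post-NAT destination zone. The zone subnets, the 192.168.1.0/24 inside network, the 203.0.113.1 address of ethernet1/1 and the default intrazone-allow/interzone-deny behaviour are assumptions taken from the lab topology; the "wrong" security rule shows what happens when the DMZ rule is written with the pre-NAT zone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addressing, following the lecture topology (assumed values).
ZONES = {
    "inside": ip_network("192.168.1.0/24"),
    "outside": ip_network("203.0.113.0/24"),
    "dmz": ip_network("192.168.50.0/24"),
}
SERVICE_PORTS = {"ftp": 21}

def zone_of(ip: str) -> str:
    """Stand-in for the route lookup that decides which zone an address lives in."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"  # default route points out of ethernet1/1 (assumed)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class NatRule:
    name: str
    from_zone: str                   # pre-NAT source zone
    to_zone: str                     # pre-NAT destination zone (outside, even for the DMZ server)
    dst: Optional[str]               # pre-NAT destination address, None = any
    service: str                     # "any" or a key of SERVICE_PORTS
    src_xlate: Optional[str] = None  # source NAT: translate to the egress interface address
    dst_xlate: Optional[str] = None  # destination NAT: static translated address

@dataclass
class SecurityRule:
    name: str
    from_zone: str      # pre-NAT source zone
    to_zone: str        # POST-NAT destination zone
    dst: Optional[str]  # PRE-NAT destination address, None = any
    service: str
    action: str

def service_matches(service: str, dport: int) -> bool:
    return service == "any" or SERVICE_PORTS[service] == dport

def apply_nat(pkt: Packet, nat_rules):
    """NAT rules are matched on the packet exactly as it arrived; first match wins."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in nat_rules:
        if (r.from_zone == src_zone and r.to_zone == dst_zone
                and r.dst in (None, pkt.dst)
                and service_matches(r.service, pkt.dport)):
            return r, Packet(r.src_xlate or pkt.src, r.dst_xlate or pkt.dst, pkt.dport)
    return None, pkt

def evaluate(pkt: Packet, nat_rules, sec_rules):
    """Returns (action, security rule name, NAT rule name, post-NAT destination zone)."""
    nat_rule, post = apply_nat(pkt, nat_rules)
    nat_name = nat_rule.name if nat_rule else None
    src_zone, post_dst_zone = zone_of(pkt.src), zone_of(post.dst)
    for r in sec_rules:
        if (r.from_zone == src_zone and r.to_zone == post_dst_zone
                and r.dst in (None, pkt.dst)  # still the pre-NAT address
                and service_matches(r.service, pkt.dport)):
            return r.action, r.name, nat_name, post_dst_zone
    # The read-only defaults: intrazone-default allows, interzone-default denies.
    if src_zone == post_dst_zone:
        return "allow", "intrazone-default", nat_name, post_dst_zone
    return "deny", "interzone-default", nat_name, post_dst_zone

NAT_RULES = [
    NatRule("in-to-out", "inside", "outside", None, "any", src_xlate="203.0.113.1"),
    NatRule("out-to-DMZ", "outside", "outside", "203.0.113.10", "ftp", dst_xlate="192.168.50.10"),
]
SEC_RULES = [
    SecurityRule("in-to-out", "inside", "outside", None, "any", "allow"),
    SecurityRule("out-to-DMZ-FTP", "outside", "dmz", "203.0.113.10", "ftp", "allow"),
]
# The mistake the lecture warns about: using the pre-NAT zone in the security rule.
WRONG_SEC_RULES = [SecurityRule("out-to-DMZ-FTP", "outside", "outside", "203.0.113.10", "ftp", "allow")]
```

Running `evaluate(Packet("203.0.113.200", "203.0.113.10", 21), NAT_RULES, SEC_RULES)` reproduces the lab's working FTP session, while the same packet against WRONG_SEC_RULES falls through to interzone-default and is denied, even though the NAT rule itself matched.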
